Secure aggregate maximum system, secure aggregate minimum system, secure computation apparatus, secure aggregate maximum method, secure aggregate minimum method, and program

ABSTRACT

An aggregate maximum is efficiently obtained while keeping confidentiality. A flag converting part (12) converts a form of a share of a flag representing a last element of a group. A flag applying part (13) generates a share of a vector in which a value of a value attribute is set if a flag representing the last element of the group is true, and a predetermined value is set if the flag is false. A sorting part (14) generates a share of a sorted vector obtained by sorting the vector with a permutation which moves elements so that the last elements of each group are sequentially arranged from beginning. An output part (15) generates and outputs a share of a vector representing a maximum of each group from the sorted vector.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is based on PCT filing PCT/JP2019/016986, filedApr. 22, 2019, which claims priority to JP 2018-084115, filed Apr. 25,2018, the entire contents of each are incorporated herein by reference.

TECHNICAL FIELD

The present invention relates to a secure computation technique, and,particularly, relates to a technique of computing an aggregate functionwhile keeping confidentiality.

BACKGROUND ART

An aggregate function is an operation for obtaining statistics groupedbased on a value of a key attribute when a table includes a keyattribute and a value attribute. The aggregate function is also referredto as a group-by operation. The key attribute is an attribute to be usedfor grouping records of the table, and, examples of the key attributecan include, for example, an official position, gender, or the like. Thevalue attribute is an attribute to be used for computing statistics,and, examples of the value attribute can include, for example, salary,body height, or the like. The group-by operation is, for example, anoperation for obtaining average body height by gender in a case wherethe key attribute is gender, or the like. The key attribute may be acomposite key including a plurality of attributes, and, for example, ina case where the key attributes are gender and age, the group-byoperation may be an operation for obtaining average body height of malesin their teens, average body height of males in their twenties, . . . .Non-patent literature 1 discloses a method for performing the group-byoperation using secure computation.

An aggregate maximum is one of the aggregate functions, and is anoperation for obtaining a maximum of a desired value attribute for eachgroup when the table is grouped based on the value of the key attribute.The aggregate maximum is also referred to as a group-by maximum. Thegroup-by maximum is, for example, an operation for obtaining a maximumamount of salary of males in their teens, a maximum amount of salary ofmales in their twenties, . . . , when the key attributes are gender andage, and the value attribute is salary.

An aggregate minimum is one of the aggregate functions, and is anoperation for obtaining a minimum of a desired value attribute for eachgroup when the table is grouped based on the value of the key attribute.The aggregate minimum is also referred to as a group-by minimum. Thegroup-by minimum is, for example, an operation for obtaining a minimumamount of salary of males in their teens, a minimum amount of salary ofmales in their twenties, . . . , when the key attributes are gender andage, and the value attribute is salary.

PRIOR ART LITERATURE Non-Patent Literature

-   Non-patent literature 1: Dai Ikarashi, Koji Chida, Koki Hamada, and    Katsumi Takahashi, “Secure Database Operations Using An Improved    3-party Verifiable Secure Function Evaluation”, The 2011 Symposium    on Cryptography and Information Security, 2011.

SUMMARY OF THE INVENTION Problems to be Solved by the Invention

In a conventional secure computation technique, the number of times ofcommunication of log(n) where n is the number of subjects to performcomputation is required to obtain a group-by maximum/minimum, which isinefficient.

In view of the technical problem as described above, an object of thepresent invention is to provide a technique which is capable ofefficiently obtaining a group-by maximum/minimum while keepingconfidentiality.

Means to Solve the Problem

To solve the above-described problem, a secure aggregate maximum systemaccording to a first aspect of the present invention is a secureaggregate maximum system including a plurality of secure computationapparatuses, m being an integer equal to or greater than 2, [v]:=[v₀], .. . , [v_(m−1)] being a share obtained by secret sharing a desired valueattribute v:=v₀, . . . , v_(m−1) when a table including a key attributeand a value attribute is stably sorted based on a value of the valueattribute and a value of the key attribute, [e]:=[e₀], . . . , [e_(m−1)]being a share obtained by secret sharing a flag e:=e₀, . . . , e_(m−1)indicating that a last element of each group is true and other elementsare false when the table is grouped based on the value of the keyattribute, {{σ}} being a share obtained by secret sharing a permutationσ which moves elements so that the last elements of each group aresequentially arranged from beginning when the table is grouped based onthe value of the key attribute, and g being a maximum number of thegroups, each of the secure computation apparatuses comprising a flagapplying part configured to generate a share [f] which becomes a vectorf:=f₀, . . . , f_(m−1), when reconstructed, by setting [v_(i)] at[f_(i)] if [e_(i)] is true, and setting a predetermined fixed value at[f_(i)] if [e_(i)] is false for each integer i equal to or greater than0 and equal to or less than m−1 using the share [v] and the share [e], asorting part configured to generate a share [σ(f)] which becomes asorted vector σ(f) obtained by sorting the vector f with the permutationσ, when reconstructed, using the share [f] and the share {{σ}}, and anoutput part configured to generate a share [x] which becomes a vectorx:=σ(f)₀, . . . , σ(f)_(min(g,m)−)1 representing a maximum of eachgroup, when reconstructed, using the share [σ(f)].

To solve the above-described problem, a secure aggregate minimum systemaccording to a second aspect of the present invention is a secureaggregate minimum system including a plurality of secure computationapparatuses, m being an integer equal to or greater than 2, [v]:=[v₀], .. . , [v_(m−1)] being a share obtained by secret sharing a desired valueattribute v:=v₀, . . . , v_(m−1) when a table including a key attributeand a value attribute is stably sorted based on a value of the valueattribute and a value of the key attribute, [e]:=[e₀], . . . , [e_(m−1)]being a share obtained by secret sharing a flag e:=e₀, . . . , e_(m−1)indicating that a last element of each group is true and other elementsare false when the table is grouped based on the value of the keyattribute, {{σ}} being a share obtained by secret sharing a permutationσ which moves elements so that the last elements of each group aresequentially arranged from beginning when the table is grouped based onthe value of the key attribute, and g being a maximum number of thegroups, each of the secure computation apparatuses comprising a flagshifting part configured to generate a share [e′] which becomes a flage′:=e′₀, . . . , e′_(m−1), when reconstructed, by setting [e_(i−1)] at[e′_(i)] for each integer i equal to or greater than 1 and equal to orless than m−1 and setting true at [e′₀] using the share [e], a flagapplying part configured to generate a share [f′] which becomes a vectorf′:=f′₀, . . . , f′_(m−1), when reconstructed, by setting [v_(i)] at[f′_(i)] if [e′_(i)] is true, and setting a predetermined fixed value at[f′_(i)] if [e′_(i)] is false for each integer i equal to or greaterthan 0 and equal to or less than m−1 using the share [v] and the share[e′], a sorting part configured to generate a share [σ(f′)] whichbecomes a sorted vector σ(f′) obtained by sorting the vector f′ with thepermutation σ, when reconstructed, using the share [f′] and the share{{σ}}, and an output part configured to generate a share [x′] whichbecomes a vector x′:=σ(f′)₀, . . . , σ(f′)_(min(g,m)−1) representing aminimum of each group, when reconstructed, using the share [σ(f′)].

Effect of the Invention

According to a secure aggregate maximum/minimum technique of the presentinvention, it is possible to efficiently obtain a group-bymaximum/minimum with the number of times of communication of O(1) whilekeeping confidentiality.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram illustrating a functional configuration of a secureaggregate maximum/minimum system;

FIG. 2 is a diagram illustrating a functional configuration of a securecomputation apparatus;

FIG. 3 is a diagram illustrating a processing procedure of a secureaggregate maximum method;

FIG. 4 is a diagram illustrating a processing procedure of a secureaggregate minimum method; and

FIG. 5 is a diagram illustrating a functional configuration of a securecomputation apparatus of a modification.

DETAILED DESCRIPTION OF THE EMBODIMENTS

Embodiments of the present invention will be described in detail below.Note that the same reference numerals will be assigned to componentshaving the same functions in the drawings, and overlapped descriptionwill be omitted.

[x]∈[F] indicates that a certain value x is concealed through secretsharing, or the like, on an arbitrary ring F. {b}∈{B} indicates that acertain value b of one bit is concealed through secret sharing, or thelike, on a ring B which can represent one bit. {{s}}∈{{S_(m)}} indicatesthat a certain permutation s which belongs to a set S_(m) ofpermutations of m elements is concealed through secret sharing, or thelike. Hereinafter, a secret shared value will be referred to as a“share”.

In sort processing (including stable sort) in secure computation used inthe embodiment, for example, sort disclosed in the following Referenceliterature 1 can be used. Concerning the share {{s}} of the permutations, it is only necessary to use a hybrid permutation {{π}} disclosed inthe following Reference literature 1.

[Reference literature 1] Dai Ikarashi, Koki Hamada, Ryo Kikuchi, andKoji Chida, “A Design and an Implementation of Super-high-speedMulti-party Sorting: The Day When Multi-party Computation ReachesScripting Languages”, Computer Security Symposium 2017.

First Embodiment Secure Aggregate Maximum System

A first embodiment of the present invention is a secure aggregatemaximum system and method for obtaining a group-by maximum. Aconfiguration example of the secure aggregate maximum system 100 of thefirst embodiment will be described with reference to FIG. 1. The secureaggregate maximum system 100 includes N (≥2) secure computationapparatuses 1 ₁, . . . , 1 _(N). In the present embodiment, the securecomputation apparatuses 1 ₁, . . . , 1 _(N) are respectively connectedto a communication network 9. The communication network 9 is acommunication network of a circuit switching system or a packetswitching system, configured so that respective connected apparatusescan perform communication with each other, and, for example, theInternet, a local area network (LAN), a wide area network (WAN), or thelike, can be used. Note that the respective apparatuses do notnecessarily have to be able to perform communication online via thecommunication network 9. For example, it is also possible to employ aconfiguration where information which is to be input to the securecomputation apparatuses 1 ₁, . . . , 1 _(N) is stored in a portablerecording medium such as a magnetic tape and a USB memory, and theinformation is input from the portable recording medium to the securecomputation apparatuses 1 ₁, . . . , 1 _(N) offline.

A configuration example of the secure computation apparatuses 1 _(n)(n=1, . . . , N) included in the secure aggregate maximum system 100 ofthe present embodiment will be described with reference to FIG. 2. Forexample, as illustrated in FIG. 2, the secure computation apparatus 1_(n) includes an input part 10, a flag converting part 12, a flagapplying part 13, a sorting part 14 and an output part 15. By thissecure computation apparatus 1 _(n) (1≤n≤N) performing processing ineach step which will be described later while cooperating with anothersecure computation apparatus 1 _(n′) (n′=1, . . . , N, where n≠n′), thesecure aggregate maximum method of the first embodiment is implemented.

The secure computation apparatus 1 _(n) is a special apparatusconfigured by a special program being loaded to a publicly-known ordedicated computer having, for example, a central processing unit (CPU),a main memory (RAM: random access memory), or the like. The securecomputation apparatus 1 _(n), for example, executes respective kinds ofprocessing under control by the central processing unit. Data input tothe secure computation apparatus 1 _(n) and data obtained through therespective kinds of processing are stored in, for example, the mainmemory, and the data stored in the main memory is read out to thecentral processing unit as necessary and is utilized for otherprocessing. At least part of respective processing parts of the securecomputation apparatus 1 _(n) may be configured with hardware such as anintegrated circuit.

A processing procedure of the secure aggregate maximum method to beexecuted by the secure aggregate maximum system 100 of the firstembodiment will be described with reference to FIG. 3.

In step S10, the input part 10 of each secure computation apparatus 1_(n) receives a share [v]∈[F]^(m) obtained by concealing a valueattribute v∈F^(m) through secret sharing, a share {e}∈{B}^(m) obtainedby concealing a flag e∈B^(m) through secret sharing, a share{{σ}}∈{{S_(m)}} obtained by concealing a permutation σ through secretsharing, and a maximum number of groups g, as input. m is an integerequal to or greater than 2. The input part 10 outputs the share {e} ofthe flag e to the flag converting part 12, outputs the share [v] of thevalue attribute v to the flag applying part 13, and outputs the share{{σ}} of the permutation σ to the sorting part 14.

The value attribute v is a value attribute after a table is stablysorted in ascending order of a value attribute and a key attribute. Notethat stable sort is an operation of storing order of elements of thesame value in a case where elements of the same value exist, among sortoperations. For example, if a table sorted in order of employee numberis stably sorted with gender, a sort result in which order of theemployee number is kept in each type of gender can be obtained. In otherwords, the value attribute v is a value attribute after a table issorted in ascending order of a value of the value attribute for eachgroup. Hereinafter, there is a case where each element of [v]∈[F]^(m) isreferred to by [v_(i)]∈[F] (i=0, . . . , m−1).

The flag e is a flag representing a boundary of groups. For example, theflag e is a flag such that, when the table is stably sorted with a keyattribute, and when records having the same value of the key attributeare put into the same group, a value corresponding to a last element(that is, an element immediately before the boundary of groups) of eachgroup is true (for example, 1), and values corresponding to the otherelements are false (for example, 0). Hereinafter, there is a case whereeach element of {e}∈{B}^(m) is referred to by {e_(i)}∈{B} (i=0, . . . ,m−1).

The permutation σ is a permutation which arranges values of keyattributes of each group from the head one by one. For example, thepermutation σ is a permutation which moves elements so that, when thetable is stably sorted with a key attribute, and when records having thesame value of the key attribute are put into the same group, the lastelements of each group are sequentially arranged from beginning, andsubsequently, other elements are sequentially arranged. The share {{σ}}of the permutation σ is only required to be configured using the hybridpermutation {{π}} disclosed in the above-described Reference literature1.

The maximum number of groups g is the number of combinations of valueswhich the key attribute can take, that is, the number of types of valueswhich the key attribute can take.

In step S12, the flag converting part 12 of each secure computationapparatus 1 _(n) converts the share {e}∈{B}^(m) of the flag e into ashare [e]∈[F]^(m) through secret sharing on an arbitrary ring F. Theflag converting part 12 outputs the share [e] of the flag e to the flagapplying part 13.

In step S13, the flag applying part 13 of each secure computationapparatus 1 _(n) generates a share [f]∈[F]^(m) which becomes a vectorf:=f₀, . . . , f_(m−1)∈F, when reconstructed, by setting[f_(i)]:=[e_(i)?v_(i):0] for each integer i equal to or greater than 0and equal to or less than m−1 using the share [v] of the value attributev and the share [e] of the flag e. Here, “?” is a conditional operator(ternary operator). In other words, when [e_(i)] is true (for example,[e_(i)]=[1]), [f_(i)]:=[v_(i)] is set, while, when [e_(i)] is false (forexample, [e_(i)]=[0]), [f_(i)]:=[0] is set. A value set when [e_(i)]=[0]does not have to be 0, and may be any value if the value is a valuewhich the value attribute v never takes. The vector f becomes a vectorin which, when records having the same value of the key attribute areput into the same group when the table is stably sorted with the keyattribute, at the last element f_(i) of each group, a value v_(i) of avalue attribute corresponding to the element is set, and at otherelements, 0 is set. In other words, the vector f becomes a vector whichhas a maximum of each group and 0 as elements. The flag applying part 13outputs a share [f] of the vector f to the sorting part 14.

In step S14, the sorting part 14 of each secure computation apparatus 1_(n) generates a share [σ(f)]∈[F]^(m) which becomes a sorted vector σ(f)obtained by sorting the vector f with the permutation σ, whenreconstructed, using the share [f] of the vector f and the share {{σ}}of the permutation σ. Hereinafter, there is a case where each element of[σ(f)]∈[F]^(m) is referred to by [σ(f)_(i)]∈[F] (i=0, . . . , m−1). Thesorted vector σ(f) becomes a vector in which, at elements correspondingto the number of groups from the head, a value of the last element (thatis, a maximum of each group) when the table is sorted for each group, isset, and at subsequent elements, 0 is set. The sorting part 14 outputsthe share [σ(f)] of the sorted vector σ(f) to the output part 15.

In step S15, the output part 15 of each secure computation apparatus 1_(n) generates a share [x]∈[F]^(min(g,m)) which becomes a vectorx:=σ(f)₀, . . . , σ(f)_(min(g,m)−1) representing the maximum of eachgroup, when reconstructed, from the share [σ(f)] of the sorted vectorσ(f), and outputs the share [x] of the maximum x.

Second Embodiment Secure Aggregate Minimum System

A second embodiment of the present invention is a secure aggregateminimum system and method for obtaining a group-by minimum. Aconfiguration example of a secure aggregate minimum system 101 of thesecond embodiment will be described with reference to FIG. 1. The secureaggregate minimum system 101 includes N (≥2) secure computationapparatuses 2 ₁, . . . , 2 _(N). In the present embodiment, the securecomputation apparatuses 2 ₁, . . . , 2 _(N) are respectively connectedto the communication network 9. The communication network 9 is acommunication network of a circuit switching system or a packetswitching system, configured so that respective connected apparatusescan perform communication with each other, and, for example, theInternet, a local area network (LAN), a wide area network (WAN), or thelike, can be used. Note that the respective apparatuses do notnecessarily have to be able to perform communication online via thecommunication network 9. For example, it is also possible to employ aconfiguration where information which is to be input to the securecomputation apparatuses 2 ₁, . . . , 2 _(N) is stored in a portablerecording medium such as a magnetic tape and a USB memory, and theinformation is input from the portable recording medium to the securecomputation apparatuses 2 ₁, . . . , 2 _(N) offline.

A configuration example of the secure computation apparatus 2 _(n) (n=1,. . . , N) included in the secure aggregate minimum system 101 of thepresent embodiment will be described with reference to FIG. 2. Forexample, as illustrated in FIG. 2, the secure computation apparatus 2_(n) further includes a flag shifting part 11 in addition to processingparts provided at the secure computation apparatus 1 _(n) included inthe secure aggregate maximum system 100 of the first embodiment. By thissecure computation apparatus 2 _(n) (1≤n≤N) performing processing ineach step which will be described later while cooperating with anothersecure computation apparatus 2 _(n′) (n′=1, . . . , N, where n≠n′), thesecure aggregate minimum method of the second embodiment is implemented.

A processing procedure of the secure aggregate minimum method to beexecuted by the secure aggregate minimum system 101 of the secondembodiment will be described with reference to FIG. 4.

In step S10, the input part 10 of each secure computation apparatus 2_(n) receives a share [v]∈[F]^(m) obtained by concealing a valueattribute v∈F^(m) through secret sharing, a share {e}∈{B}^(m) obtainedby concealing a flag e∈B^(m) through secret sharing, a share{{σ}}∈{{S_(m)}} obtained by concealing a permutation σ through secretsharing, and a maximum number of groups g, as input. The input part 10outputs the share {e} of the flag e to the flag shifting part 11,outputs the share [v] of the value attribute v to the flag applying part13, and outputs the share {{σ}} of the permutation σ to the sorting part14.

In step S11, the flag shifting part 11 of each secure computationapparatus 2 _(n) generates a share {e′}∈{B}^(m) which becomes a flage′:=e′₀, . . . , e′_(m−1) ∈B^(m), when reconstructed, by setting{e′_(i)}:={e_(i−1)} for each integer 1 equal to or greater than 1 andequal to or less than m−1 and setting {e′₀}:={1} using the share {e} ofthe flag e. Because the flag e′ is a flag obtained by shifting the flage indicating the last element of each group backward one by one, theflag e′ becomes a flag indicating a first element of each group (thatis, an element immediately after the boundary between groups). The flagshifting part 11 outputs the share {e′} of the flag e′ to the flagconverting part 12.

In step S12, the flag converting part 12 of each secure computationapparatus 2 _(n) converts the share {e′}∈{B}^(m) of the flag e′ into ashare [e′]∈[F]^(m) through secret sharing on an arbitrary ring F. Theflag converting part 12 outputs the share [e′] of the flag e′ to theflag applying part 13.

In step S13, the flag applying part 13 of each secure computationapparatus 2 _(n) generates a share [f′]∈[F]^(m) which becomes a vectorf′:=f′₀, . . . , f′_(m−1)∈F, when reconstructed, by setting[f′]:=[e′_(i)?v_(i):0] for each integer i equal to or greater than 0 andequal to or less than m−1 using the share [v] of the value attribute vand the share [e′] of the flag e′. In other words, when [e′_(i)] is true(for example, [e′_(i)]=[1]), [f′_(i)]:=[v_(i)] is set, while, when[e′_(i)] is false (for example, [e′_(i)]=[0]), [f′_(i)]:=[0] is set. Avalue set when [e′_(i)]=[0] does not have to be 0, and may be any valueif the value is a value which the value attribute v never takes. Thevector f′ becomes a vector in which, when the table is stably sortedwith the key attribute, and records having the same value of the keyattribute are put into the same group, at a first element f′_(i) of eachgroup, a value v_(i) of the value attribute corresponding to the elementis set, and 0 is set at other elements. In other words, the vector f′becomes a vector which has a minimum of each group and 0 as elements.The flag applying part 13 outputs the share [f′] of the vector f′ to thesorting part 14.

In step S14, the sorting part 14 of each secure computation apparatus 2_(n) generates a share [σ(f′)]∈[F]^(m) which becomes a sorted vectorσ(f′) obtained by sorting the vector f′ with the permutation σ, whenreconstructed, using the share [f′] of the vector f′ and the share {{σ}}of the permutation σ. Hereinafter, there is a case where each element of[σ(f′)]∈[F]^(m) is referred to by [σ(f′)_(i)]∈[F] (i=0, . . . , m−1).The sorted vector σ(f′) becomes a vector in which, at elementscorresponding to the number of groups from the head, a value of a firstelement (that is, a minimum of each group) when the table is sorted foreach group, is set, and at subsequent elements, 0 is set. The sortingpart 14 outputs the share [σ(f′)] of the sorted vector σ(f′) to theoutput part 15.

In step S15, the output part 15 of each secure computation apparatus 2_(n) generates a share [x′]∈[F]^(min(g,m)) which becomes a vectorx′:=σ(f′)₀, . . . , σ(f′)_(min(g,m)−1) representing a minimum of eachgroup, when reconstructed, from the share [σ(f′)] of the sorted vectorσ(f′), and outputs the share [x′] of the minimum x′.

Modification

In the above-described embodiments, a configuration has been describedwhere the share [v] of the value attribute v, the share {e} of the flage, and the share {{σ}} of the permutation σ are input to the input part10. In a modification, a configuration will be described where a shareobtained by concealing the table through secret sharing, or the like, isinput to the input part 10, and, after the share [v] of the valueattribute v, the share {e} of the flag e, and the share {{σ}} of thepermutation σ are obtained, a group-by maximum/minimum is calculated inaccordance with the procedure described in the above-describedembodiments.

For example, as illustrated in FIG. 5, a secure computation apparatus 3_(n) (n=1, . . . , N) of the modification includes a bit decomposingpart 21, a group sort generating part 22, a bit string sorting part 23,a flag generating part 24, a key aggregate sort generating part 25 and avalue sorting part 26 in addition to respective processing partsprovided at the secure computation apparatus 1 _(n) (n=1, . . . , N) ofthe first embodiment and the secure computation apparatus 2 _(n) (n=1, .. . , N) of the second embodiment. Only a difference from the secureaggregate maximum system 100 of the first embodiment and the secureaggregate minimum system 101 of the second embodiment will be describedbelow.

The input part 10 of each secure computation apparatus 3 _(n) receives ashare [k₀], . . . , [k_(nk−1)]∈[F]^(m) obtained by concealing each ofn_(k) key attributes k₀, . . . , k_(nk−1)∈F^(m) through secret sharing,and a share [v′₀], . . . , [v′_(na−1)]∈[F]^(m) obtained by concealingeach of n_(a) value attributes v′₀, . . . , v′_(na−1)∈F^(m) throughsecret sharing, as input. However, n_(k) and n_(a) are integers equal toor greater than 1. Hereinafter, there is a case where each element of[k_(j)]∈[F]^(m) (j=0, . . . , n_(k)−1) is referred to by [k_(j, i)]∈[F](i=0, . . . , m−1). The input part 10 outputs shares [k₀], . . . ,[k_(nk−1)] of the key attributes k₀, . . . , k_(nk−1) to the bitdecomposing part 21. Further, the input part 10 outputs shares [v′₀], .. . , [v′_(na−1)] of the value attributes v′₀, . . . , v′_(na−1) to thevalue sorting part 26.

The bit decomposing part 21 of each secure computation apparatus 3 _(n)bit-decomposes and concatenates the shares [k₀], . . . , [k_(nk−1)] ofthe key attributes k₀, . . . , k_(nk−1) and obtains a share {b}∈{B}^(λ)which becomes a bit string b:=b₀, . . . , b_(m−1)∈B^(λ) which is acoupled bit expression of the key attributes k₀, . . . , k_(nk−1), whenreconstructed. Note that λ is a bit length of the bit string b, and asum of bit lengths of respective b_(i) (i=0, . . . , m−1). In otherwords, {b_(i)} is a bit string obtained by coupling bit expression ofthe i-th elements [k_(0, i)], . . . , [k_(nk−1,i)] of the respectiveshares [k₀], . . . , [k_(nk−1)] of the key attributes k₀, . . . ,k_(nk−1). The bit decomposing part 21 outputs the share {b} of the bitstring b to the group sort generating part 22.

The group sort generating part 22 of each secure computation apparatus 3_(n) generates a share {{σ₀}}∈{{S_(m)}} which becomes a permutation σ₀which stably sorts the bit string b in ascending order, whenreconstructed, using the share {b} of the bit string b. Because the bitstring b is a coupled bit expression of the key attributes k₀, . . . ,k_(nk−1), it can be said that the permutation σ₀ is an operation ofgrouping records by rearranging the records so that records having equalvalues of the key attributes k₀, . . . , k_(nk−1) are successive. Thegroup sort generating part 22 outputs the share {b} of the bit string band the share {{σ₀}} of the permutation σ₀ to the bit string sortingpart 23. Further, the group sort generating part 22 outputs the share{{σ₀}} of the permutation σ₀ to the value sorting part 26.

The bit string sorting part 23 of each secure computation apparatus 3_(n) obtains a share {b′}∈{B}^(λ) which becomes a sorted bit stringb′:=b′₀, . . . , b′_(m−1)∈B^(λ) obtained by sorting the bit string bwith the permutation σ₀, when reconstructed, using the share {b} of thebit string b and the share {{σ₀}} of the permutation σ₀. The bit stringsorting part 23 outputs the share {b′} of the sorted bit string b′ tothe flag generating part 24.

The flag generating part 24 of each secure computation apparatus 3 _(n)generates a share {e}∈{B}^(m) which becomes a flag e:=e₀, . . . ,e_(m−1)∈B^(m), when reconstructed, by setting {e_(i)}:={b′_(i)≠b′_(i+1)}for each integer i equal to or greater than 0 and equal to or less thanm−2 and setting {e_(m−1)}:={1}, using the share {b′} of the sorted bitstring b′. Because true is set at the flag e_(i) if the i-th elementb′_(i) of the sorted bit string b′ is different from the i+1-th elementb′_(i+1), the flag e_(i) becomes a flag which indicates the last elementof each group (that is, an element immediately before the boundarybetween groups). The flag generating part 24 outputs the share {e} ofthe flag e to the key aggregate sort generating part 25. Further, theflag generating part 24 outputs the share {e} of the flag e to the flagconverting part 12 or the flag shifting part 11.

The key aggregate sort generating part 25 of each secure computationapparatus 3 _(n) first generates a share {e″}∈{B}^(m) which becomes aflag e″ which is a negation ¬e of the flag e, when reconstructed, usingthe share {e} of the flag e. In other words, the key aggregate sortgenerating part 25 sets {e″_(i)}:={¬e_(i)} for each integer i equal toor greater than 0 and equal to or less than m−1. Then, the key aggregatesort generating part 25 generates a share {{σ}}∈{{S_(m)}} which becomesa permutation σ which stably sorts the flag e″ in ascending order, whenreconstructed, using the share {e″} of the flag e″. The key aggregatesort generating part 25 outputs the share {{σ}} of the permutation σ tothe value sorting part 26. Further, the key aggregate sort generatingpart 25 outputs the share {{σ}} of the permutation σ to the sorting part14.

The value sorting part 26 of each secure computation apparatus 3 _(n)generates shares [v₀], . . . , [v_(na−1)] which become sorted valueattributes v₀, . . . , v_(na−1) obtained by sorting value attributesv′₀, . . . , v′_(na−1) with the permutation σ₀, when reconstructed,using shares [v′₀], . . . , [v′_(na−1)] of the value attributes v′₀, . .. , v′_(na−1) and the share {{σ₀}} of the permutation σ₀. The valuesorting part 26 outputs shares for which it is desired to compute amaximum/minimum for each group among the shares [v₀], . . . , [v_(na−1)]of the sorted value attributes v₀, . . . , v_(na−1), to the flagapplying part 13 as the share [v] of the value attribute v.

While the embodiments of the present invention have been describedabove, it goes without saying that a specific configuration is notlimited to these embodiments, and design change, or the like, within thescope not deviating from the gist of the present invention areincorporated into the present invention. Various kinds of processingdescribed in the embodiments are executed not only in chronologicalorder in accordance with order of description, but also executed inparallel or individually in accordance with processing performance ofapparatuses which execute the processing or as necessary.

Program, Recording Medium

In a case where various kinds of processing functions of the respectiveapparatuses described in the above-described embodiments are realizedwith a computer, a processing content of the functions which should beprovided at the respective apparatuses is described with a program.Then, by this program being executed with the computer, various kinds ofprocessing functions at the above-described respective apparatuses arerealized on the computer.

The program describing this processing content can be recorded in acomputer-readable recording medium. As the computer-readable recordingmedium, any medium such as, for example, a magnetic recording apparatus,an optical disk, a magnetooptical recording medium and a semiconductormemory can be used.

Further, this program is distributed by, for example, a portablerecording medium such as a DVD and a CD-ROM in which the program isrecorded being sold, given, lent, or the like. Still further, it is alsopossible to employ a configuration where this program is distributed bythe program being stored in a storage device of a server computer andtransferred from the server computer to other computers via a network.

A computer which executes such a program, for example, first, stores aprogram recorded in the portable recording medium or a programtransferred from the server computer in the storage device of the owncomputer once. Then, upon execution of the processing, this computerreads out the program stored in the storage device of the own computerand executes the processing in accordance with the read program.Further, as another execution form of this program, the computer maydirectly read a program from the portable recording medium and executethe processing in accordance with the program, and, further,sequentially execute the processing in accordance with the receivedprogram every time the program is transferred from the server computerto this computer. Further, it is also possible to employ a configurationwhere the above-described processing is executed by so-called ASP(Application Service Provider) type service which realizes processingfunctions only by an instruction of execution and acquisition of aresult without the program being transferred from the server computer tothis computer. Note that, it is assumed that the program in the presentembodiment includes information which is to be used for processing by anelectronic computer, and which is equivalent to a program (not a directcommand to the computer, but data, or the like, having propertyspecifying processing of the computer).

Further, while, in this embodiment, the present apparatus is constitutedby a predetermined program being executed on the computer, at least partof the processing content may be realized with hardware.

What is claimed is:
 1. A secure aggregate maximum system comprising aplurality of secure computation apparatuses, m being an integer equal toor greater than 2, [v]: =[v₀], . . . , [v_(m−1)] being a share m−1obtained by secret sharing a desired value attribute v: =v₀, . . . ,v_(m−1) when a table including a key attribute and a value attribute isstably sorted based on a value of the value attribute and a value of thekey attribute, [e]: =[e₀], . . . , [e_(m−1)] being a share obtained bysecret sharing a flag e: =e₀, . . . , e_(m−1) indicating that a lastelement of each group is true and other elements are false when thetable is grouped based on the value of the key attribute, {{σ}} being ashare obtained by secret sharing a permutation a which moves elements sothat the last elements of each group are sequentially arranged frombeginning when the table is grouped based on the value of the keyattribute, and g being a maximum number of the groups, each of thesecure computation apparatuses comprising processing circuitryconfigured to: generate a share [f] which becomes a vector f: =f₀, . . ., f_(m−1), when reconstructed, by setting [v_(i)] at [f_(i)] if [e_(i)]is true, and setting a predetermined fixed value at [f_(i)] if [e_(i)]is false for each integer i equal to or greater than 0 and equal to orless than m−1 using the share [v] and the share [e], generate a share[σ(f)] which becomes a sorted vector σ(f) obtained by sorting the vectorf with the permutation σ, when reconstructed, using the share [f] andthe share {{σ}}, and generate a share [x] which becomes a vector x:=σ(f)₀, . . . , σ(f)_(min(g,m)−1) representing a maximum of each group,when reconstructed, using the share [σ(f)].
 2. The secure aggregatemaximum system according to claim 1, wherein F is an arbitrary ring,n_(k) is an integer equal to or greater than 1, [k₀], . . . , [k_(nk−1)]are shares obtained by secret sharing key attributes k₀, . . . ,k_(nk−1) ∈ F^(m), [v′] is a share obtained by secret sharing a desiredvalue attribute v′ ∈ F^(m) before the table is sorted based on the valueof the key attribute, and the processing circuitry is further configuredto: generate a share {{σ₀}} which becomes a permutation σ₀ which stablysorts a bit string b in ascending order, when reconstructed, from ashare {b} which becomes the bit string b: =b₀, . . . , b_(m−1) obtainedby bit-decomposing and coupling the key attributes k₀, . . . , whenreconstructed, using the shares [k₀], . . . , [k_(nk−1)]; generate ashare {b′} which becomes a sorted bit string b′: =b′₀, . . . , b′_(m−1)obtained by sorting the bit string b with the permutation σ₀, whenreconstructed, using the share {b} and the share {{σ₀}}; generate theshare {e} which becomes the flag e: =e₀, . . . , e_(m−1), whenreconstructed, by setting {e_(i)}:={b′_(i)≠b′_(i+1)} for each integer iequal to or greater than 0 and equal to or less than m−2 and setting{e_(m−1)}: ={1} using the share {b′}; generate the share {{σ}} whichbecomes the permutation a which stably sorts a denial ¬e of the flag ein ascending order, when reconstructed, using the share {e}; andgenerate a share [v] which becomes the value attribute v obtained bysorting the value attribute v′ with the permutation σ₀, whenreconstructed, using the share [v′] and the share {{σ₀}}.
 3. A secureaggregate minimum system comprising a plurality of secure computationapparatuses, m being an integer equal to or greater than 2, [v]: =[v₀],. . . , [v_(m−1)] being a share obtained by secret sharing a desiredvalue attribute v: =v₀, . . . , v_(m−1) when a table including a keyattribute and a value attribute is stably sorted based on a value of thevalue attribute and a value of the key attribute, [e]: =[e₀], . . . ,[e_(m−1)] being a share obtained by secret sharing a flag e: =e₀, . . ., e_(m−1) indicating that a last element of each group is true and otherelements are false when the table is grouped based on the value of thekey attribute, {{σ}} being a share obtained by secret sharing apermutation a which moves elements so that the last elements of eachgroup are sequentially arranged from beginning when the table is groupedbased on the value of the key attribute, and g being a maximum number ofthe groups, each of the secure computation apparatuses comprisingprocessing circuitry configured to: generate a share [e′] which becomesa flag e′: =e′₀, e′_(m−1), when reconstructed, by setting [e_(i−1)] at[e′_(i)] and setting true at [e′₀] for each integer i equal to orgreater than 1 and equal to or less than m−1 using the share [e];generate a share [f′] which becomes a vector f′: =f′₀, . . . , f′_(m−1),when reconstructed, by setting [v_(i)] at [f′_(i)] if [e′_(i)] is true,and setting a predetermined fixed value at [f′_(i)] if [e′_(i)] is falsefor each integer i equal to or greater than 0 and equal to or less thanm−1 using the share [v] and the share [e′]; generate a share [σ(f′)]which becomes a sorted vector σ(f′) obtained by sorting the vector fwith the permutation a, when reconstructed, using the share [f′] and theshare {{σ}}; and generate a share [x′] which becomes a vector x′:=σ(f′)₀, . . . , σ(f′)_(min(g,m)−1) representing a minimum of eachgroup, when reconstructed, using the share [σ(f)].
 4. The secureaggregate minimum system according to claim 3, wherein F is an arbitraryring, n_(k) is an integer equal to or greater than 1, [k₀], . . . ,[k_(nk−1)] are shares obtained by secret sharing key attributes k₀, . .. , k_(nk−1) ∈F^(m), and [V′] is a share obtained by secret sharing adesired value attribute v′ ∈F^(m) before the table is sorted based onthe value of the key attribute, and the processing circuitry is furtherconfigured to: generate a share {{σ}} which becomes a permutation σ₀which stably sorts a bit string b in ascending order, whenreconstructed, from a share {b} which becomes the bit string b: =b₀, . .. , b_(m−1) obtained by bit-decomposing and coupling the key attributesk₀, . . . , k_(nk−1), when reconstructed, using the shares [k₀], . . . ,[k_(nk−1)]; generate a share {b′} which becomes a sorted bit string b′:=b′₀, . . . , b′_(m−1) obtained by sorting the bit string b with thepermutation σ₀, when reconstructed, using the share {b} and the share{{σ₀}}; generate the share {e} which becomes the flag e:=e₀, . . . ,e_(m−1) when reconstructed, by setting {e_(i)}:={b′_(i)≠b′_(i+1)} foreach integer i equal to or greater than 0 and equal to or less than m−2and setting {e_(m−1)}: ={1} using the share {b′}; generate the share{{σ}} which becomes the permutation σ which stably sorts a denial of theflag e in ascending order, when reconstructed, using the share {e}; andgenerate a share [v] which becomes the value attribute v obtained bysorting the value attribute v′ with the permutation σ₀, whenreconstructed, using the share [v′] and the share {{σ₀}}.
 5. A securecomputation apparatus, m being an integer equal to or greater than 2,[v]: =[v₀], . . . , [v_(m−1)] being a share obtained by secret sharing adesired value attribute v: =v₀, . . . , v_(m−1) when a table including akey attribute and a value attribute is stably sorted based on a value ofthe value attribute and a value of the key attribute, [e]: =[e₀], . . ., [e_(m−1)] being a share obtained by secret sharing a flag e: =e₀, . .. , e_(m−1) indicating that a last element of each group is true andother elements are false when the table is grouped based on the value ofthe key attribute, {{σ}} being a share obtained by secret sharing apermutation a which moves elements so that the last elements of eachgroup are sequentially arranged from beginning when the table is groupedbased on the value of the key attribute, and g being a maximum number ofthe groups, the secure computation apparatus comprising processingcircuitry configured to: generate a share [f] which becomes a vector f:=f₀, . . . , f_(m−1), when reconstructed, by setting [v_(i)] at [f_(i)]if [e_(i)] is true, and setting a predetermined fixed value at [f_(i)]if [e_(i)] is false for each integer i equal to or greater than 0 andequal to or less than m−1 using the share [v] and the share [e],generate a share [σ(f)] which becomes a sorted vector σ(f) obtained bysorting the vector f with the permutation σ, when reconstructed, usingthe share [f] and the share {{σ}}, and generate a share [x] whichbecomes a vector x: =σ(f)₀, . . . , σ(f)_(min(g,m)−1) representing amaximum of each group, when reconstructed, using the share [σ(f)].
 6. Anon-transitory computer-readable recording medium including a programrecorded thereon for causing a computer to function as the securecomputation apparatus according to claim
 5. 7. A secure computationapparatus, m being an integer equal to or greater than 2, [v]: =[v₀], .. . , [v_(m−1)] being a share obtained by secret sharing a desired valueattribute v: =v₀, . . . , v_(m−1) when a table including a key attributeand a value attribute is stably sorted based on a value of the valueattribute and a value of the key attribute, [e]: =[e₀], . . . ,[e_(m−1)] being a share obtained by secret sharing a flag e: =e₀, . . ., e_(m−1) indicating that a last element of each group is true and otherelements are false when the table is grouped based on the value of thekey attribute, {{σ}} being a share obtained by secret sharing apermutation a which moves elements so that the last elements of eachgroup are sequentially arranged from beginning when the table is groupedbased on the value of the key attribute, and g being a maximum number ofthe groups, the secure computation apparatus comprising processingcircuitry configured to: generate a share [e′] which becomes a flag e′:=e′₀, . . . , e′_(m−1), when reconstructed, by setting [e_(i−1)] at[e′_(i)] for each integer i equal to or greater than 1 and equal to orless than m−1 and setting true at [e′₀] using the share [e]; generate ashare [f′] which becomes a vector f: =f′₀, . . . , f′_(m−1), whenreconstructed, by setting [v_(i)] at [f′_(i)] if [e′_(i)] is true, andsetting a predetermined fixed value at [f′_(i)] if [e′_(i)] is false foreach integer i equal to or greater than 0 and equal to or less than m−1using the share [v] and the share [e′], generate a share [σ(f′)] whichbecomes a sorted vector σ(f′) obtained by sorting the vector f with thepermutation σ, when reconstructed, using the share [(f′)] and the share{{σ}}; and generate a share [x′] which becomes a vector x′: =σ(f′)₀, . .. , σ(f′)_(min(g,m)−1) representing a minimum of each group, whenreconstructed, using the share [σ(f′)].
 8. A non-transitorycomputer-readable recording medium including a program recorded thereonfor causing a computer to function as the secure computation apparatusaccording to claim
 7. 9. A secure aggregate maximum method to beexecuted by a secure aggregate maximum system comprising a plurality ofsecure computation apparatuses, m being an integer equal to or greaterthan 2, [v]: =[v_(m−1)] being a share obtained by secret sharing adesired value attribute v: =v₀, . . . , v_(m−1) when a table including akey attribute and a value attribute is stably sorted based on a value ofthe value attribute and a value of the key attribute, [e]: =[e₀], . . ., [e_(m−1)] being a share obtained by secret sharing a flag e: =e₀, . .. , e_(m−1) indicating that a last element of each group is true andother elements are false when the table is grouped based on the value ofthe key attribute, {{σ}} being a share obtained by secret sharing apermutation a which moves elements so that the last elements of eachgroup are sequentially arranged from beginning when the table is groupedbased on the value of the key attribute, and g being a maximum number ofthe groups, the secure aggregate maximum method comprising: generating,by processing circuitry of each of the secure computation apparatuses, ashare [f] which becomes a vector f: =f₀, . . . , f_(m−1), whenreconstructed, by setting [v_(i)] at [f_(i)] if [e_(i)] is true, andsetting a predetermined fixed value at [f_(i)] if [e_(i)] is false foreach integer i equal to or greater than 0 and equal to or less than m−1using the share [v] and the share [e]; generating, by the processingcircuitry of each of the secure computation apparatuses, a share [σ(f)]which becomes a sorted vector σ(f) obtained by sorting the vector f withthe permutation σ, when reconstructed, using the share [f] and the share{{σ}}, and generating, by the processing circuitry of each of the securecomputation apparatuses, a share [x] which becomes a vector x′: =σ(f)₀,. . . , σ(f)_(min(g,m)−1) representing a maximum of each group, whenreconstructed, using the share [σ(f)].
 10. A secure aggregate minimummethod to be executed by a secure aggregate minimum system comprising aplurality of secure computation apparatuses, m being an integer equal toor greater than 2, [v]: =[v₀], . . . , [v_(m−1)] being a share obtainedby secret sharing a desired value attribute v: =v₀, . . . , v_(m−1) whena table including a key attribute and a value attribute is stably sortedbased on a value of the value attribute and a value of the keyattribute, [e]: =[e₀], . . . , [e_(m−1)] being a share obtained bysecret sharing a flag e: =e₀, . . . , e_(m−1) indicating that a lastelement of each group is true and other elements are false when thetable is grouped based on the value of the key attribute, {{σ}} being ashare obtained by secret sharing a permutation σ which moves elements sothat the last elements of each group are sequentially arranged frombeginning when the table is grouped based on the value of the keyattribute, and g being a maximum of the group, the secure aggregateminimum method comprising: generating, by processing circuitry of eachof the secure computation apparatuses, a share [e′] which becomes a flage′: =e′₀, . . . , e′_(m−1), when reconstructed, by setting [e_(i−1)] at[e′₁] for each integer i equal to or greater than 1 and equal to or lessthan m−1 and setting true at [e₀] using the share [e]; generating, bythe processing circuitry of each of the secure computation apparatuses,a share [f′] which becomes a vector f′: =f′₀, . . . , f′_(m−1), whenreconstructed, by setting [v_(i)] at [f′_(i)] if [e′] is true, andsetting a predetermined fixed value at [f′_(i)] if [e′_(i)] is false foreach integer i equal to or greater than 0 and equal to or less than m−1using the share [v] and the share [e′]; generating, by the processingcircuitry of each of the secure computation apparatuses, a share [σ(f)]which becomes a sorted vector σ(f′) obtained by sorting the vector f′with the permutation σ, when reconstructed, using the share [f′] and theshare {{σ}}; and generating, by the processing circuitry of each of thesecure computation apparatuses, a share [x′] which becomes a vector x′:=σ(f′)₀, . . . , σ(f′)_(min(g,m)−1) representing a minimum of eachgroup, when reconstructed, using the share [σ(f′)].